Google should be applauded for spending a year studying how cybercriminals highjack account login credentials and expose them in the cyberspace.

The search giant’s findings are astounding and instructive. Stolen passwords get channeled into the dark web in two main ways: one at a time, via phishing campaigns, or en masse, via data breaches, such as the Yahoo and Uber ones.

From March 2016 to February 2017, Google found that 12 million username and passwords were successfully phished, and some 3.3 billion records were stolen as the result of data breaches. This means that every 24 hours an average of nine million logins are stolen.

Gmail and the Google Cloud Platform are deeply interwoven with corporations and consumers’ lives – even people with personal Gmail accounts use their work email as a recovery account.

Now think about the online retail implications: how many times have you been shopping online and getting confirmations via Gmail? What data does that expose?

The Javelin Strategy and Research Identity Proofing Platform Scorecard, issued in October, showed that everyone – from major merchants to industrial boardrooms and consumers – has room for improvement.

Baergen

As we come to the close of the 2017 holiday shopping season, it’s worth mentioning that merchants and other companies transacting online cannot determine consumer identity solely based on personally identifiable information (PII) that is likely compromised.

Javelin’s report notes: “In the complex financial ecosystem of 2017, a bifurcated model of identity verification and authentication fails to meet the needs of accountholders or financial institutions. Accordingly, a much more holistic approach is needed to take into account a richer array of context around the identity and behavior of the consumer.

It’s not just the retail sector bearing the brunt of this. Many people (including employees) continue to reuse usernames and passwords across many sites. Perhaps it is time for employers to forbid their staff members from using off-duty passwords for corporate email accounts and, likewise, the use of workplace emails as secondary verification for personal accounts.

A leap from a user’s personal Gmail account into their workplace account sets up a scenario for new levels of successful so-called “whale phishing.”

Cybercrime isn’t “loners in the basement” anymore – it’s highly organized, well-resourced, and technologically advanced. The news of ongoing, massive-scale theft of Gmail credentials should be a wake-up call to fundamentally re-think authentication, and incorporate continuous validation techniques that can’t be mimicked, such as passive biometrics.

Emails contain crucial strategic information, and it’s time for providers to equip them with the security they deserve.

About the essayist: Lisa Baergen is marketing director at NuData Security Inc., a Mastercard company.